-1

I've been trying to work out if it is possible to authorize communication between a mobile app and my ASP.NET web api service without the user having to authenticate with a username and password. This is important because users of my app don't login at all and never will. All traffic will of course be sent over HTTPS.

This means I can't use OAUTH or BASIC authentication to authenticate the traffic as these require credentials.

So I need some method to securely store some kind of authentication token that is packaged in the app that is only accessed when it needs to communicate to the server and can't be "discovered" by a determined hacker.

This may of course not be possible.

Thanks.

Guy Lowe
  • 2,115
  • 1
  • 27
  • 37

1 Answers1

1

In general it is not possible. Your server should never trust it's clients. Hackers can examine your client app and create equivalent one.

But you can make life of hackers significantly harder, if you:

  1. Use custom cliest sertificat for HTTPS, look here.
  2. Use temporary access keys in http request. Application should request for new temporary access key your server. Part of the key server will send in response and another part will be sent via Cloud Messaging. Combine parts of the key in some non-trivial way.
  3. Obfuscate your app.
Community
  • 1
  • 1
light_keeper
  • 627
  • 5
  • 15
  • Thanks. My research has shown me that this is indeed not possible. You can also use SSL Pinning but that requires you to bundle your certificate with your app and it will eventually expire anyway requiring you to update your app. – Guy Lowe Dec 28 '15 at 05:09